Hi MHM, 

The configuration is quite straightforward:

interface GigabitEthernet0/0/0

 description Active ISP

 ip address 1.1.1.2 255.255.255.255

 ip nat outside

 ip access-group 1 in

 load-interval 30

 negotiation auto

 ip virtual-reassembly

!

interface GigabitEthernet0/0/1

 description Backup ISP

 ip address 2.2.2.2 255.255.255.255

 ip nat outside

 ip access-group 1 in

 load-interval 30

 negotiation auto

 ip virtual-reassembly

!

ip nat inside source list 100 interface GigabitEthernet0/0/1 overload

ip nat inside source list 101 interface GigabitEthernet0/0/0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 1.1.1.1

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 2.2.2.1 10

The default route in the routing table is pointing towards the active ISP but the backup ISP is being used instead.

Hope it is clearer now.

Hi Dan,

So you mean that at some point the backup link came active and the NAT entries were created and, when the original active ISP came back as primary again, since the NAT entries are already present, the traffic keep using the backup ISP even if the default route in the routing table uses the active WAN interface as outgoing interface?

Thanks

@antonio Marcia if a NAT translation is already created the router is going to use it and it does this independent of routing.   Routing will work as expected for failover but if a NAT translation is built for a connection over standy and routing says use primary, then routing happens over primary and NAT continues to use the translation that is already built.  There has to be separation between NAT and routing. 

Another example would be if you own registered address space and assign registered address a.b.c.d/32 to a loopback and advertise this address to both ISPs and use the loopback for NAT on both ISPs.   When a connection is built it gets NATTED to the loopback and routing can failover/failback and continue to use the translation over both ISPs.   This works.

What if the router built a new translation each time routing failover/failback now you have multiple translations built for a single connection.   Which one does the router use?   This will break the connection and why routing and NAT work independently.   

This is an interesting suggestion, and a creative suggested solution. And it could potentially address the issue of the OP. But I agree with MHM that I would like to see the configuration. In particular I would like to see whether the NAT uses the route map approach (with match statements for both the interface and the acl) or just the simple statement for nat.

Hi Richard,

As you can see in the configuration I pasted above, the NAT are simple statements.

Thank you for posting the configuration. Yes it is quite simple and that is the issue. When you have 2 outbound interfaces and you want to do different translation depending on the interface then the simple one line config for NAT does not work - as you are experiencing. With 2 outbound interfaces your NAT configuration must specify the correct translation for each interface. And the way to do that is to use a route map. MHM has provided a nice example of how to do that.